CVE-2025-52483 · CRITICAL 9.8 · EPSS p29.9%

Description

Registrator is a GitHub app that automates creation of registration pull requests for Julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), a shell script injection can occur within the `withpasswd` function. Alternatively, an argument injection is possible in the `gettreesha` function. Either of these can then lead to a potential RCE. Users should upgrade immediately to v1.9.5 to receive a fix. All prior versions are vulnerable. No known workarounds are available.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 29.9% · 2026-06-18T12:00:27Z
Published: 2025-06-25
Last modified: 2025-09-19

Underlying weaknesses · 1

CWE-77

References

  1. https://github.com/JuliaRegistries/Registrator.jl/pull/448
  2. https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-589r-g8hf-xx59

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2025-52480
  - CVE-2025-58371
  - CVE-2025-22204
  - CVE-2025-10894
  - CVE-2025-54416
  - CVE-2026-11572

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.